The field of the invention is systems and methods for providing multi-factor authentication of a user allowing login on a restricted website, or on an enterprise network with single sign-on, or on various other service systems with security restrictions. The multi-factor approach requires a user to present at least two factors of identification from a set of factors potentially including: (1) a knowledge factor; (2) a possession factor; and (3) an inherence factor. The knowledge factor refers to something the user knows, for instance a pin code or passphrase; the possession factor refers to something the user owns, for instance a security fob, a magnetic card, a cell phone, or a tablet computer; and the inherence factor refers to something the user is. The inherence factor could be determined using biometrics such as fingerprint, iris or voice analysis.
Single-factor authentication for a website or network typically only requires a user to log into an account by providing a username and associated password (knowledge factor only). Since passwords can easily end up in the wrong hands, this approach is not very secure. Therefore, enterprises and high-value web service providers such as banks often require at least a second factor, most commonly the possession factor. For this second factor, the mobile phone is becoming more popular, since it is ubiquitous and does not require banks to purchase, distribute, maintain and support dedicated hardware. Often in these cases, access to some service is sought from a user device, which could be a computer, and authentication involves a user-owned mobile device, which could be a cell phone. In some cases, these might be one and the same device, for instance if access is sought from a smartphone or a tablet computer.
Some websites have a two-factor authentication system that includes a button or link “Login with cell phone”. These websites may have a user enter his or her username or cell phone number (or this may be read from a browser cookie stored on the computer used to access the website). If the username or cell phone number is registered in these systems, the website sends an SMS text message to the user with a one-time code that the user is required to manually enter back into the website. The website compares the code it sent to the device with the code the user entered. If they match, the user is considered authenticated and is logged in.
Existing systems have several disadvantages. Although two-factor authentication is used to increase security, most cell phones and tablet computers are very poorly protected against hacking and malware. As a result, malicious parties can devise several strategies to gain unauthorized access by electronic identity theft. These strategies may range from actually or virtually looking over an authorized person's shoulder when this person tries to log in, to installing Trojan horses or phishing software on the portable device, and more. One vulnerability is that an intruder may start access to a protected site in parallel with, and slightly before, an authorized user, pretending to be this user. The system will then send two messages (SMS or installed app) to the user's device. The user will typically respond to the first message, unaware that this will grant access to the intruder. The intruder will be in, and the user will be out until he or she has responded to the second message.
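The parallel-login weakness just described, as an added simulation that is not part of this document: a hypothetical approve-from-phone server in which each login attempt sends one message to the registered phone and approving a message unlocks whichever web session created it. The server, user and origin names are constructed; the `concurrent_pending` check shows the condition a defender can observe (two outstanding messages for one account).

```python
import secrets
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Attempt:
    attempt_id: str
    username: str
    origin: str  # constructed label for the web session that started the attempt
    approved: bool = False


class PhoneAuthServer:
    """Hypothetical server side of a 'login with cell phone' flow.

    The message sent to the phone carries only an attempt id; approving it
    unlocks the web session that created that attempt, whoever started it.
    """

    def __init__(self) -> None:
        self.pending: Dict[str, Attempt] = {}
        self.phone_inbox: Dict[str, List[str]] = {}  # stand-in for SMS / app push

    def start_login(self, username: str, origin: str) -> str:
        attempt_id = secrets.token_hex(4)
        self.pending[attempt_id] = Attempt(attempt_id, username, origin)
        self.phone_inbox.setdefault(username, []).append(attempt_id)
        return attempt_id

    def approve_from_phone(self, username: str, attempt_id: str) -> str:
        """User taps 'approve' on a message; returns the origin that got unlocked."""
        attempt = self.pending.pop(attempt_id)
        if attempt.username != username:
            raise PermissionError("message does not belong to this account")
        attempt.approved = True
        return attempt.origin

    def concurrent_pending(self, username: str) -> List[str]:
        """Outstanding attempts for one account; more than one is the overlap described above."""
        return [a.attempt_id for a in self.pending.values() if a.username == username]


def simulate_parallel_login() -> Dict[str, object]:
    server = PhoneAuthServer()
    # Intruder starts first, claiming to be "alice"; alice starts her own login shortly after.
    server.start_login("alice", origin="intruder-browser")
    own_attempt = server.start_login("alice", origin="alice-browser")
    overlap = len(server.concurrent_pending("alice"))
    # Alice answers the first message in her inbox, as users typically do.
    unlocked = server.approve_from_phone("alice", server.phone_inbox["alice"][0])
    still_locked_out = own_attempt in server.concurrent_pending("alice")
    return {"unlocked": unlocked, "overlap": overlap, "user_still_pending": still_locked_out}
```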
Another disadvantage is that manually copying an access code or other information from a user device to a website is considered a nuisance by users, which many commercial entities want to minimize.